Portions of our extras server, extras.denverpost.com were compromised on May 19, 2009. The malicious changes made persisted until they were removed Monday June 29.Another applications server was compromised from Saturday June 27 at 8:39 a.m. MDT until Monday June 29 at 2:48 p.m. MDT. Portions of three Denver Post domains hosted on that server were affected. During this time changes to files that appeared on Denver Post sites were made — those changes added script calls that downloaded malware from remote sites. Those malicious changes have been removed from the site.

Our extras server was compromised on May 19, before we activated an IP whitelist (a list of approved IP addresses that only allows people in certain locations to connect to the server). On that day 317 files were edited and had malicious code added to them. Google discovered this malicious code Saturday June 26, which is why some of you saw warnings when visiting denverpost.com .

If you visited any of those pages between Saturday June 27 at 8:39 a.m. MDT until Monday June 29 at 2:48 p.m. MDT, you may be infected.

To find out if you may be infected:

Copy the title of the page (it’s the text in the list after the colon, and it is not linked).

Open up your browser history.

Paste the page title into your history search.

If it shows up in your history, you should check the date you visited it. How you do that depends on your browser and your browser version.

Also, if our weather page, “Denver CO Weather 80201 Forecast”, shows up, you are only at risk if the URL of the page is http://weathernow.denverpost.com/index.php . If you have http://weathernow.denverpost.com/hw3.php as the URL, you are safe.

The malicious code is gone from our applications server. The mistake that allowed access to the applications server has been corrected. Our IP whitelist had been accidentally disabled (we disabled it while attempting to deny all accesses to the server), which is what allowed the attacks. That mistake has been fixed, and the malicious code removed.

No personal identifying information was compromised during this incident.

I and the online team are sorry for subjecting our readers to another incident like this. It was a leftover of the server compromises that occurred in May. We have increased the security and accountability of our extras server. We are also working on teaching more people the steps to take when a vulnerability has been reported, so that mistakes like the one that led to our applications server being compromised don’t happen again.